Debian Bug report logs - #354063 - CVE-2006-0377: IMAP injection attempts
Reported by: Geoff Crompton <geoff.crompton@strategicdata.com.au>
Date: Thu, 23 Feb 2006 01:03:06 UTC
Severity: important
Tags: fixed-upstream, security
Found in version squirrelmail/2:1.4.4-7
Fixed in versions squirrelmail/2:1.4.6-1, squirrelmail/2:1.4.4-8
Done: Thijs Kinkhorst <kink@squirrelmail.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#354063; Package squirrelmail.
Acknowledgement sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>: New Bug report received and forwarded. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.
Message #5 received at submit@bugs.debian.org:
Package: squirrelmail
Version: 2:1.4.4-7
Severity: important
The changelog at http://www.squirrelmail.org/changelog.php says for 1.4.6:
- Security: Prohibit IMAP injection attempts (reported by Vicente
Aguilera) [CVE-2006-0377].
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)
Versions of packages squirrelmail depends on:
ii apache [httpd] 1.3.33-6sarge1 versatile, high-performance HTTP s
ii apache-perl [httpd] 1.3.33-6sarge1 versatile, high-performance HTTP s
ii lighttpd [httpd] 1.4.9-4bpo1 A fast webserver with minimal memo
ii perl 5.8.4-8sarge3 Larry Wall's Practical Extraction
ii php4 4:4.3.10-16 server-side, HTML-embedded scripti
ii squirrelmail-locales 1.4.4-20050308-1 Translations for the SquirrelMail
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#354063; Package squirrelmail.
Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>: Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.
Message #10 received at 354063@bugs.debian.org:
On Thu, 2006-02-23 at 11:44 +1100, Geoff Crompton wrote:
> - Security: Prohibit IMAP injection attempts (reported by Vicente
> Aguilera) [CVE-2006-0377].
Hello Jeff,
Thanks, I'm aware of it. I'm awaiting the 1.4.6 version which is to be
released any moment now.
Thijs
Tags added: security, fixed-upstream. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.
Tags added: pending. Request was from www-data <www-data@wolffelaar.nl> to control@bugs.debian.org.
Message sent on to Geoff Crompton <geoff.crompton@strategicdata.com.au>: Bug#354063.
Message #17 received at 354063-submitter@bugs.debian.org:
# Fixed in r233 by kink
tag 354063 + pending
tag 354062 + pending
tag 354064 + pending
tag 355424 + pending
thanks
These bugs are fixed in revision 233 by kink
and will likely get fixed in the next upload.
Log message:
* New upstream release.
* Includes the following security fixes:
- Fix IMAP command injection in sqimap_mailbox_select
with upstream patch. [CVE-2006-0377] (Closes: #354063)
- Fix possible XSS in MagicHTML, concerning the parsing
of u\rl and comments in styles. Internet Explorer
specific. [CVE-2006-0195] (Closes: #354062)
- Fix possible cross site scripting through the right_main
parameter of webmail.php. This now uses a whitelist of
acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#354063; Package squirrelmail.
Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>: Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.
Message #22 received at 354063@bugs.debian.org:
Hello all,
I've prepared updated packages for these bugs for oldstable, stable and
unstable. Please find those packages here:
http://www.a-eskwadraat.nl/~kink/squirrelmail/
The unstable packages are awaiting review and upload by Jeroen. Testing
will be updated within a few days after the unstable upload, if no big
problems are found.
Security team: here's a proposed advisory text.
===
Package : squirrelmail
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE IDs : CVE-2006-0377 CVE-2006-0195 CVE-2006-0188
Debian Bug : 354062 354063 354064 355424
Several vulnerabilities have been discovered in Squirrelmail, a
commonly used webmail system. The Common Vulnerabilities and
Exposures project identifies the following problems:
CVE-2006-0377
Vicente Aguilera of Internet Security Auditors, S.L. discovered a
CRLF injection vulnerability, which allows remote attackers to
inject arbitrary IMAP commands via newline characters in the mailbox
parameter of the sqimap_mailbox_select command, aka "IMAP
injection." There's no known way to exploit this yet.
CVE-2006-0195
Martijn Brinkers and Scott Hughes discovered an interpretation
conflict in the MagicHTML filter that allows remote attackers to
conduct cross-site scripting (XSS) attacks via style sheet
specifiers with invalid (1) "/*" and "*/" comments, or (2) slashes
inside the "url" keyword, which is processed by some web browsers
including Internet Explorer.
CVE-2006-0188
Martijn Brinkers and Ben Maurer found a flaw in webmail.php that
allows remote attackers to inject arbitrary web pages into the right
frame via a URL in the right_frame parameter.
For the old stable distribution (woody) these problems have been fixed in
version 1.2.6-5.
For the stable distribution (sarge) these problems have been fixed in
version 2:1.4.4-8.
For the unstable distribution (sid) these problems have been fixed in
version 2:1.4.6-1.
We recommend that you upgrade your squirrelmail package.
===
I'm glad to hear any comments on the packages.
thanks,
Thijs
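The CRLF injection described in the advisory above, as an added example (written in Python rather than SquirrelMail's PHP, and not the project's own code): a vulnerable SELECT builder next to a hardened one that refuses line terminators before quoting the mailbox name. The tag and mailbox values are constructed samples.

```python
import re

# Control characters that must never appear inside an IMAP command argument:
# CR/LF terminate a command line (RFC 3501) and NUL is invalid in a quoted string.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class MailboxNameError(ValueError):
    """Mailbox name cannot be embedded safely in an IMAP command."""


def is_safe_mailbox(mailbox: str) -> bool:
    """True if the name contains no CR, LF or NUL."""
    return _FORBIDDEN.search(mailbox) is None


def build_select_unsafe(tag: str, mailbox: str) -> str:
    # Vulnerable pattern: the user-controlled mailbox name is interpolated
    # verbatim, so an embedded CRLF ends SELECT and starts a second command.
    return f'{tag} SELECT "{mailbox}"\r\n'


def quote_mailbox(mailbox: str) -> str:
    # Hardened: reject line terminators outright, then escape the two
    # characters that are special inside an RFC 3501 quoted string.
    if not is_safe_mailbox(mailbox):
        raise MailboxNameError("mailbox name contains CR, LF or NUL")
    escaped = mailbox.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_select_safe(tag: str, mailbox: str) -> str:
    return f"{tag} SELECT {quote_mailbox(mailbox)}\r\n"


def command_lines(wire: str) -> list[str]:
    """Split outgoing text the way an IMAP server does: one command per CRLF."""
    return [line for line in wire.split("\r\n") if line]


if __name__ == "__main__":
    # Constructed sample: a mailbox name carrying a CRLF followed by a harmless NOOP.
    tainted = "INBOX\r\nA002 NOOP"
    print(command_lines(build_select_unsafe("A001", tainted)))  # two commands
    try:
        build_select_safe("A001", tainted)
    except MailboxNameError as exc:
        print("rejected:", exc)
```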
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#354063; Package squirrelmail.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.
Message #27 received at 354063@bugs.debian.org:
Thijs Kinkhorst wrote:
> Hello all,
>
> I've prepared updated packages for these bugs for oldstable, stable and
> unstable. Please find those packages here:
> http://www.a-eskwadraat.nl/~kink/squirrelmail/
Thanks a lot. I did a cursory check and everything looks fine. I'll review
in detail and prepare a DSA tonight or tomorrow.
Cheers,
Moritz
Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>: You have taken responsibility.
Notification sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>: Bug acknowledged by developer.
Message #32 received at 354063-close@bugs.debian.org:
Source: squirrelmail
Source-Version: 2:1.4.6-1
We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:
squirrelmail_1.4.6-1.diff.gz
to pool/main/s/squirrelmail/squirrelmail_1.4.6-1.diff.gz
squirrelmail_1.4.6-1.dsc
to pool/main/s/squirrelmail/squirrelmail_1.4.6-1.dsc
squirrelmail_1.4.6-1_all.deb
to pool/main/s/squirrelmail/squirrelmail_1.4.6-1_all.deb
squirrelmail_1.4.6.orig.tar.gz
to pool/main/s/squirrelmail/squirrelmail_1.4.6.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 354063@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated squirrelmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 7 Mar 2006 14:56:06 +0100
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.6-1
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description:
squirrelmail - Webmail for nuts
Closes: 354062 354063 354064 355424
Changes:
squirrelmail (2:1.4.6-1) unstable; urgency=high
.
* New upstream release.
* Includes the following security fixes:
- Fix IMAP command injection in sqimap_mailbox_select
with upstream patch. [CVE-2006-0377] (Closes: #354063)
- Fix possible XSS in MagicHTML, concerning the parsing
of u\rl and comments in styles. Internet Explorer
specific. [CVE-2006-0195] (Closes: #354062)
- Fix possible cross site scripting through the right_main
parameter of webmail.php. This now uses a whitelist of
acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)
Files:
f982571d61dcbf187c5247eaa3d6bd06 738 web optional squirrelmail_1.4.6-1.dsc
da9e22416fca21ed0636458641187cdb 599318 web optional squirrelmail_1.4.6.orig.tar.gz
d91d57f8b7a65c9600d04dea8ca6a227 17984 web optional squirrelmail_1.4.6-1.diff.gz
7f0cd54f915be5be41f71ddb445fbe8c 594826 web optional squirrelmail_1.4.6-1_all.deb
Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>: You have taken responsibility.
Notification sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>: Bug acknowledged by developer.
Message #37 received at 354063-close@bugs.debian.org:
Source: squirrelmail
Source-Version: 2:1.4.4-8
We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:
squirrelmail_1.4.4-8.diff.gz
to pool/main/s/squirrelmail/squirrelmail_1.4.4-8.diff.gz
squirrelmail_1.4.4-8.dsc
to pool/main/s/squirrelmail/squirrelmail_1.4.4-8.dsc
squirrelmail_1.4.4-8_all.deb
to pool/main/s/squirrelmail/squirrelmail_1.4.4-8_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 354063@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated squirrelmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 7 Mar 2006 13:08:55 +0100
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.4-8
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description:
squirrelmail - Webmail for nuts
Closes: 354062 354063 354064 355424
Changes:
squirrelmail (2:1.4.4-8) stable-security; urgency=high
.
* Fix IMAP command injection in sqimap_mailbox_select
with upstream patch. [CVE-2006-0377] (Closes: #354063)
* Fix possible XSS in MagicHTML, concerning the parsing
of u\rl and comments in styles. Internet Explorer
specific. [CVE-2006-0195] (Closes: #354062)
* Fix possible cross site scripting through the right_main
parameter of webmail.php. This now uses a whitelist of
acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)
Files:
140546ee9c0534419ddcaf3c7e632110 678 web optional squirrelmail_1.4.4-8.dsc
f50548b6f4f24d28afb5e6048977f4da 575871 web optional squirrelmail_1.4.4.orig.tar.gz
15ddd8f4db234006a1ac290087640dfc 24654 web optional squirrelmail_1.4.4-8.diff.gz
2087dcea05cd5e1c4033f15cf120761a 570472 web optional squirrelmail_1.4.4-8_all.deb
Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>: You have taken responsibility.
Notification sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>: Bug acknowledged by developer.
Message #42 received at 354063-close@bugs.debian.org (verbatim duplicate of message #37).
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 04:42:36 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 17:15:57 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.